Cross-Chain Bridge has overtaken traditional mixers as the main tool for stolen encryption in early 2025, moving funds that have been hacked for over $1.5 billion. Their speed, liquidity and light regulations scrutiny have made tornado cash much more attractive than mixers to mask the origins of assets.
summary
- The Crypto Hacks in the first half of 2025 were hit at unprecedented levels, with over $3 billion stolen in 119 incidents, 50% more than everything in 2024.
- Hackers are moving their funds more than ever, often washing their assets through cross-chain bridges rather than mixers, and some thefts are completely obscure just a few minutes before publication.
- Centralized exchanges remain major cash-out points, with limited recovery efforts, and most stolen funds will be washed quickly or await future movements.
The first half of 2025 marked one of the most destructive periods in the history of cryptocurrency hacks. More than $3 billion has been stolen in 119 individual incidents, according to a recent report from Global Ledger shared with Crypto.News.
However, the enormous amount of attacks is not the only alarm bell. The speed at which hackers move stolen funds often before the theft became publicly known – has fundamentally changed the landscape of code crime, analysts say.
Hackers were washed more than 4.4 times via bridge than H1’25 mixer | Source: Global Ledger
“Attackers are moving faster and often wash their funds before the incident is publicly known,” the report said. In one case, the fastest movement of a hacked fund took just four seconds, effectively giving the attacker a head start measured by the blink of an eye. This speed is severely limiting the current warning system and the ability of regulators to intervene before money disappears.
By breaking down the timeline, analysts identified key patterns of how stolen assets are handled. We identified how quickly they move, and which parts of the crypto ecosystem are most exploited, leaving them idle.
“Knowing these timing patterns helps detect suspicious activity faster and reduce the need for window attackers to wash their funds. It’s not just about responding, it’s about predicting the next move.”
Global ledger
Bridges surpass mixers as washing tools
Perhaps the most important finding is about the methods hackers use to obscure the origins of stolen codes. The Cross-Chain Protocol (also known as the Cross-Chain Bridge) appears to be the preferred method for washing stolen codes.
In the first half of 2025, more than 50.1% of the hacked assets exceeded $1.5 billion were routed through the bridge. This sends $339 million (about 11%) to the crypto mixer, but it’s still used in about half of the hackcase.
You might like it too: Almost half of the stolen codes remain unborn, data shows
As Global Ledger points out, the cross-chain protocol’s capabilities are “heavy leveraged by illegal actors, making them an important tool for obfuscating the origins of stolen funds.” The report suggests that the bridge is overtaking the mixer because it “could be due to reduced speed, fluidity and regulatory scrutiny.”
Mixers like Tornado Cash scrambled funds by mixing with others to break traceability, but were once the standard for the laundry of encrypted that was stolen in hacks. Bridges that allow for rapid transfer of assets between different blockchain networks now seem to provide faster movement and access to multiple liquidity pools, making it easier for hackers to move more quickly and costly, complicating law enforcement pursuit efforts.
Crypto exchanges remain the main cash-out point
Another area of insight concerns where stolen funds will eventually land. Analysts say that about 15% of the hacked assets ($453 million) flow into central exchanges and “is likely to be used for further cash out.” In contrast, the decentralized finance platform received only about a third of that amount, and received about $170 million or 5.6%.
Despite the rapid growth and total value of defi usage locked in, the report highlights that centralized platforms continue to be the major off-ramp for laundry stolen funds, suggesting that for all promises, Defi Protocol has not yet replaced traditional exchanges as a go-to destination for hackers looking to convert Crypto into FIAT or lesser territory.
The report also draws a subtle picture of recovery efforts. Of the total stolen amount, nearly 13% ($379 million) may have been frozen or burned. Meanwhile, only 4.6% (approximately $140 million) were voluntarily returned.
As Global Ledger says, enforcement efforts have had some impact. “But spontaneous returns remain rare,” he emphasized, “most recovery still relies on rapid intervention, not well-intention.”
It’s just a matter of time
The key point is the incredible speed at which the attacker acts. Funds from nearly one in four hacks were completely washed before public disclosures occurred, closing windows for law enforcement to track or freeze the assets. The fastest complete washing process from theft to the final deposit was just 2 minutes and 57 seconds, and was enough time to flash.
At 68.1% of hacks, funds moved before disclosure Source: Global Ledger
“Speed has become a new and dangerous weapon,” the report warned, saying that the fastest movement of stolen funds is “more than 75 times faster than the alert system.” As funds begin to move, the trail gets colder in hours or minutes. The attacker is clearly taking advantage of this narrow response window. In more than 30% of cases, illegal actors completed their laundry within one day of their initial wallet movement.
At the time of the report’s investigation, $1.6 billion, or 53.6% of the total loss, remained unused. That is, these funds either did not move or stopped moving. The report suggests that some of this amount is “highly likely that the attacker has been washed as the heat may be waiting for the heat to die.”
read more: Bridges are nowhere for blockchain communications | Opinion
Discover more from Earlybirds Invest
Subscribe to get the latest posts sent to your email.
